So, we all know about the security scammer now, and the different ways he is working to defraud innocent users and steal their data and money. It has been quite an experience tracking this scam down and getting all the facts right (from the technical aspect of inspecting the keylogger and binaries used to sniff your data, to actually communicating with the scammer and getting his take on things).

Nevertheless, I must say that I appreciate the consistency in which our scammer (I’ll call him Fadzil Mahfodh as that’s his real name) has been trying to mask his wrongdoings. From trying to go around the facts and divert us to other software:

To “bragging” about his skills and the fact that his scripts are “leet” enough to get past some people:

And finally to the obvious – throwing a fit and trolling – initially by threatning to post my picture and CV on adult websites (what would my CV be good for on an adult site anyway??? must be a Malaysian thing ):

All of which has been accompanied by adding my picture to his website (wow! I’m famous now!):

Getting it removed by the Google Blogger DMCA team, opening up a new blog site to accompany the specific “hack wpa without a dic” post along with my picture, and making some cosmetic changes to the site, removing the FBI log (which has been replaced with a larger DHS logo), and adding a disclaimer at his website stating that this is all a mistake, that I have been trying to pressure him into criminal actions, and that he has all our communications logged and will be happy to use it to prosecute. Too bad this has been removed from his site before I had a chance to document it – but trust me it was there! Pure epicness!

Now, I know – it’s not really fair to pick on these guys that hard. That’s why I’m leaving this to the Malaysia CERT (as you may have noticed, 1337 Fadzil forgot to proxy his connections to this blog and his IP has been logged on all comments and relevant hits on the site), to figure out how to handle. I truly hope that his suggestion to use the details provided on his paypal account and bank account will actually yield some results, and wish our friend the best of luck in his endeavors in the security business (although I highly doubt he’ll be at DefCon later this week).

Below are attached some of the additional supporting materials for the sake of fully disclosing all the communications with Fadzil.

Apache-access-log_FILTERED, Fadzil-chat, karma-decoded.sh, bg2-decoded.sh

Related posts:

1. How [not to] scam security people
2. The Turkish hack and another case for IL-CERT
3. Identity crisis

According to a report, the most common malware attack in 2007 is the notorious IFRAME.

On our monthly and quarterly reports we provided more in-depth analysis of such top-ranking IFRAME and obfuscated code.
In Finjan’s terminology, the top-ranked virus IFRAME is not a malware or a virus, it’s more like how criminals are directing users’ browsers to a malware. Interestingly enough – the runner-up is “Mal/ObfJS” – Obfuscated javascript, again no a virus or malware but a simple technique to hide exploits from signature matching inspection.

How come? Well, remember that signature-based solutions are in a dire need to be able to stop the more common techniques employed by attackers (we have actually started to report on them during 2006), since the detection technology is limited in detecting the obfuscation and evasive techniques – typically signaturing the de-obfuscating portions of the script.

This has led to the recent reports of false-positives by multiple AV vendors lately, as active-content is becoming more and more complicated, and the ways to express an action in interpreted code are very complex – meaning that signatures in this realm are almost obsolete (you can see the honorary mention of the “DF” function (Mal/FunDF) in the 10th place, which is a signature on a specific de-obfuscating function – again, no mention of any malicious action taken by it, it’s just that it had it’s 15 minutes of fame when it was used by toolkits to deliver actual malicious code…)

Looking forward to 2008 I really hope that the industry as a whole will not be lagging behind the attack vectors as it did in 2007, and new and improved engines would enable end-users (especially consumers who do not benefit from the more sophisticated solutions offered to enterprises) to have better protection when using the internet.

I know what my new-year resolutions are – do you?

Related posts:

1. Have something to hide? make a lot of noise about it!
2. IFRAME is a security risk???
3. Playing with obfuscators – teaching an old dog new tricks…